Tag Archives: android

Snapchat user data exposed in huge data theft.

Image courtesy of aturkus Flickr photostream

Image courtesy of aturkus Flickr photostream


Usernames and phone numbers for more than 4.5 million Snapchat users have been published on a website called SnapchatDB.info after attackers took advantage of an exploit disclosed on the 23rd December 2013. According to TechCrunch, SnapchatDB said
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does”
This is of course not the first vulnerability that has been discovered in the Snapchat service or app, various methods of secretly saving photos or recovering deleted photos have already hit the headlines in recent months, those were vulnerabilities in the app itself and would be exploited on the end-user device. This latest attack is using weaknesses in the API on the Snapchat servers themselves, the API is the method by which a Snapchat client communicates with the Snapchat service. These weaknesses allow for an automated system to send an enormous number of queries to the Snapchat server in a short period of time, discovering whether or not a given telephone number exists in the Snapchat database and retrieving other information associated with that number, of course the numbers themselves will be mobile telephone numbers. This attack, combined with further mining of data, for example through social media could be easily used to build a very large database of personal information for many kinds of further exploitation or resale. Although Snapchat were made aware of these vulnerabilities some months ago, GibsonSec – the publishers of the Proof of Concept exploit, claim that they are still easily exploitable and Snapchat DB proves that point.

 

These two areas, vulnerabilities in mobile apps and vulnerabilities in APIs, are areas still largely under explored by criminals but we fully expect to see malicious exploits, rather than simple proofs-of-concept ramping up over the coming years. We, as users, store ever more data; data often belonging to other people, on our mobile devices and app developers are very interested in getting hold of that data, as are criminals. Far too many apps routinely request (or simply steal) the data contained in your address book for example and far too many app users are willing to surrender this data for the dubious “pleasure” of inviting their friends to yet another social network/messaging platform. Trend Micro’s own data collected in ongoing analysis through our Mobile App Reputation Service reveals that more than 20% of *all* apps are consistently leaking data and the most common data to leak are your contacts, your location, your phone number and details about the handset and SIM.

 

In the old days, back when rainbows were still in black & white, if a stranger were to approach you in the street asking for a copy of your address book that would doubtless strike you as a bizarre request, likewise if a shop assistant insisted on the details of 100 of your friends in return for a discount voucher. Somehow as the data itself has become digitised and the means of transfer invisible and painless this has become entirely acceptable behaviour. Rather than continue this erosion of privacy; users of these types of service would be better advised to use the phone for its long-neglected purpose and maybe give those same friends a call, possibly even arrange to meet up(!) and talk about the great new app you’ve discovered in person, rather than selling your friends down the river.

 

As a social platform, your satisfied customers are your best ambassadors. If you begin to act in ways detrimental to their best interests then a storm is certainly coming, as Path found out to their cost in the early part of 2013.

 

E-currency, E-wallet, staying safe into the future.

Image courtesy of epSos.de

Commerce is certainly heading ever more towards the E. While alternative digital currencies still hover on the verges of mainstream today, the speed of their adoption indicates a positive future for e-money. Credit cards are already becoming out-dated as a form factor. In fact in many parts of the world the plastic card itself has simply become an emotionally comfortable way to get people to pay using NFC (PayPass, payWave etc.) and it does not take a large leap of faith to imagine the transition to the mainstream of the logical next step of e-wallets on an NFC enabled mobile device. Many financial institutions already offer NFC “stickers” to slap on the back of non-NFC enabled devices but the battle is still on for the dominant form-factor for delivery; SD cards, external devices (stickers or sleeves), embedded hardware, Cloud (via QR) or SIM integrated technology all have roles to play, some as short-term bridge technologies, some as the basis for longer-term solutions. For the foreseeable future, these digital links to traditional currency will vastly outnumber the alternative digital currencies.

If you do use digital currencies or NFC, how to secure those e-wallets? Mostly e-wallets are held on mobile devices that are no strangers to vulnerabilities from an Operating System perspective. On the app front Google’s own e-wallet was easily subverted through an escalation of privileges attack. The dominant platform, Android, suffers not only from vulnerabilities, but also from fragmentation. This means that there are many different flavours of Android, from many different manufacturers, many of which will never see an upgrade or security patch. The mechanism for getting a patch from Google to handset is simply too convoluted, relying on both handset manufacturers and carriers to act as middlemen. Middlemen who actually have an interest in getting you to buy a new phone rather than fix your old one… On top of that the (currently) under-explored area of vulnerabilities in the apps themselves and the widespread abuse of app store platforms for spreading Trojan type malware and there’s a perfect storm of threat brewing for e-wallets.

Much of the burden for securing these technologies lies with app developers and handset and OS manufacturers and perhaps the greatest step toward effective security would be the development of, and adherence to, an open standard that includes security mechanisms such as TPM on the mobile platform. Unfortunately Visa are already talking about waiving the need for merchants need to validate their PCI compliance if 75% of their transactions originate from NFC technology!

Of course consumers have a role to play too, making sure they keep their devices physically safe, using effective device locking passwords, enabling remote lock and wipe functionality and making sure that any sensitive information (or preferably all information) is wiped from the device when it will not be in their hands for a period of time, or when they are disposing of it.

As for the Bitcoin type currencies, dividing your assets between multiple wallets and keeping the lion’s share on a secure device that is not used for regular Internet access is your best defence, breaking wallets up into “spending” and “saving” functionality. There is currently no regulator in the Bitcoin world, so every transaction is effectively final.

By 2020, we fully expect digital currency to be embedded in the economies of the early adopter geographies and consequently there will be greater level of malicious interest in your digital pockets. On the security side, we would hope that those standards are more than just a pipe-dream and that effective multi-factor (biometric) authentication has, by then, been integrated into many of the sensitive transactions that we will increasingly carry out online.

For a wider look at our security predictions for 2014 and beyond check out “Blurring Boundaries” and of course 2020: The Series

Government minister embraces the Dark Side.

Image credit: Paul J Everett

It appears that Francis Maude, the Minister for the Cabinet Office in the United Kingdom government is getting a little frustrated with technological solutions available to him in Whitehall. So much so that he has “installed his own wi-fi“. In Whitehall. In his office. In government. Nothing to worry about there then…

The news is particularly ironic, coming on the same day that Mr. Maude’s department issues their press release relating to the “Radical overhaul for Whitehall security“. You don’t say!
Continue reading